HIPAA and data sharing: Rethinking both for the Digital Age

Ironically, HIPAA was written at a time when most providers were on paper charts and submitting paper claims. It established a framework for protecting patient information and focused heavily on the way providers shared patient information.

The subsequent HITECH (Health Information for Economic and Clinical Health) Act of 2009 focused on the promotion of electronic medical records and “meaningful use” in the health information technology sector.

Health Information Trust (HITRUST) Alliance

The rule: The most meaningful development related to security in EHRs has been the formation of the Health Information Trust (HITRUST) Alliance (2007). Simply put, HITRUST combines regulations and standards into a single overarching security framework.

Where to improve: HIPAA guidelines on security and protection of data and devices is vague and insufficient. It should incorporate the HITRUST guidance and certification process as a standard.

Organizations that obtain HITRUST certification or utilize business associates with HITRUST certification should obtain some type of credit in the event of a breach as they have taken additional steps to protect patient data.

Organized Health Care Arrangements (OHCA)

The rule: Since HIPAA was originally implemented, data is shared in a more robust manner through complex health information exchanges, accountable care structures and untold variations on the same. HIPAA allows for sharing through Organized Health Care Arrangements (OCHAs).

Where to improve: [OCHAs] are not well explained in HIPAA. I think HHS could expand on the use of OCHAs and better describe the permissible framework and operations of an OCHA. I have been involved in the formation of several OCHAs, but the concept is not clearly set out in HIPAA and there is no requirement to register an OCHA.

The lack of clarity surrounding OCHAs causes providers some anxiety because there is little guidance and the OCHA cannot be registered or approved. It really creates an elegant solution allowing an integrated network of providers to share information to improve patient outcomes and reduce redundancies in paperwork, diagnostics and care.

Notice of Privacy

The rule: Currently, patients are signing the [receipt of notice of privacy practice] at every doctor visit.

Where to improve: There has been a recent (spring 2018) proposal by the Department of Health and Human Services to eliminate the requirement that providers maintain the patient’s signed acknowledgement of the receipt of notice of privacy practice.

It would eliminate paperwork at patient sign-in and reduce paper waste. It is rarely read by the patient, and I’ve never encountered a case where a patient claimed they didn’t receive the notice of privacy.

With the advent of electronic medical records, the practice must scan the acknowledgement into the system or obtain an electronic signature in order to maintain the signature with the patient record. If there is a HIPAA breach, it is not in any way related to whether or not the patient received the notice of privacy. Elimination of this requirement would be a small but significant improvement.

Breach Reporting

The rule: Currently, providers who experience a breach of 500 or more patients must report it to the Office of Civil Rights, patients and the media. Those breaches are added to OCR’s breach reporting portal.

Where to improve: The OCR breach reporting portal needs significant work. It’s very primitive in the way it must be completed. It assumes that all breaches were either caused 100 percent by the provider or the business associate. It doesn’t really accommodate reporting of more complex breaches involving cyber incidents or the multi-factorial causes.

The other change needed is the threshold of whether the breach involves less than 500 patients or over 500 patients. With the aggregation of patient information in electronic systems, a cyber breach will frequently involve in excess of 500 patients. However, the nature of the breach may not be such that it truly requires public notice.

A recent article in the Frontiers of Health Services Management, indicates that 90 percent of hospitals have experienced at least one data breach over a recent two-year period. Given the high volume of data breaches, OCR cannot keep up with the reporting and patients become immune to the onslaught of notification letters they receive making the communication less meaningful.

Business Associate Agreements

The rule: Under HIPAA, “A covered entity [must] obtain satisfactory assurances from its business associate that they’ll appropriately safeguard the PHI it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”

Where to improve: HIPAA should clarify when BAAs are required. BAAs should not be required between healthcare providers that are both treating the patient. I have seen many situations where two covered entities argue over who is the business associate.

A business associate agreement is absolutely essential with vendors providing a service to the covered entity in order to ensure the vendor acknowledges the requirement to comply with HIPAA. A hospital and a physician should never need a business associate agreement between them.

The other extremely burdensome requirement is that the provider is required to keep a log of all business associate agreements. While there are many good reasons for keeping such a log, it’s not practical in most organizations unless there is a full-time HIPAA privacy officer and staff.